{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27602", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T19:43:14.602Z", "datePublished": "2026-03-25T18:49:25.825Z", "dateUpdated": "2026-03-26T15:38:37.459Z"}, "containers": {"cna": {"title": "Modoboa has an OS Command Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m"}, {"name": "https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa", "tags": ["x_refsource_MISC"], "url": "https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa"}, {"name": "https://github.com/modoboa/modoboa/releases/tag/2.7.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/modoboa/modoboa/releases/tag/2.7.1"}], "affected": [{"vendor": "modoboa", "product": "modoboa", "versions": [{"version": "< 2.7.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T18:49:25.825Z"}, "descriptions": [{"lang": "en", "value": "Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue."}], "source": {"advisory": "GHSA-wwv8-cqpr-vx3m", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:38:34.373097Z", "id": "CVE-2026-27602", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:38:37.459Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27602", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:38:34.373097Z"}}}], "references": [{"url": "https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:38:28.266Z"}}], "cna": {"title": "Modoboa has an OS Command Injection", "source": {"advisory": "GHSA-wwv8-cqpr-vx3m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "modoboa", "product": "modoboa", "versions": [{"status": "affected", "version": "< 2.7.1"}]}], "references": [{"url": "https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m", "name": "https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa", "name": "https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/modoboa/modoboa/releases/tag/2.7.1", "name": "https://github.com/modoboa/modoboa/releases/tag/2.7.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T18:49:25.825Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27602", "state": "PUBLISHED", "dateUpdated": "2026-03-26T15:38:37.459Z", "dateReserved": "2026-02-20T19:43:14.602Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T18:49:25.825Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:modoboa:modoboa:*:*:*:*:*:*:*:*", "matchCriteriaId": "7671912F-6179-481E-BD53-77F68BD56B70", "versionEndExcluding": "2.7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Modoboa is a mail hosting and management platform. Prior to version 2.7.1, `exec_cmd()` in `modoboa/lib/sysutils.py` always runs subprocess calls with `shell=True`. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server. Version 2.7.1 patches the issue."}], "id": "CVE-2026-27602", "lastModified": "2026-03-26T16:30:21.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T19:16:48.430", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/modoboa/modoboa/commit/27a7aa133d3608fe8c25ae39125d1012c333cbfa"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/modoboa/modoboa/releases/tag/2.7.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/modoboa/modoboa/security/advisories/GHSA-wwv8-cqpr-vx3m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.7.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "modoboa", "source": "cna", "vendor": "modoboa"}, "product": "modoboa", "vendor": "modoboa"}], "analysis": {"en": {"generated_at": "2026-03-26T17:29:30.612797+00:00", "value": {"mitigation_remediation": ["Apply Modoboa patch version 2.7.1 or later", "Verify all instances run only post\u20112.7.1 releases", "Limit or review Reseller and SuperAdmin privileges to restrict domain name changes", "Monitor system logs for unexpected shell execution patterns"], "summary": {"action": "Immediate Patch", "impact": "OS Command Injection enabling arbitrary command execution"}, "threat_synthesis": {"affected_systems": "All Modoboa mail hosting deployments running a version earlier than 2.7.1 are affected, provided the user has Reseller or SuperAdmin permissions to create or edit domain names. Vendors and users of Modoboa should verify the running version and apply the 2.7.1 release, which removes the unsanitized shell invocation.", "description_and_impact": "The vulnerability resides in Modoboa\u2019s exec_cmd function, which invokes subprocess calls with shell=True and directly incorporates domain names into the command string without sanitization. An attacker who can modify a domain name\u2014such as a Reseller or SuperAdmin\u2014can inject shell metacharacters to execute arbitrary operating\u2011system commands, compromising confidentiality, integrity and availability of the host system.", "risk_and_exploitability": "The CVSS score of 7.2 indicates moderate to high severity; the EPSS score of less than 1% suggests low current exploitation probability, and the issue is not listed in the CISA KEV catalog. Inference indicates that an attacker can exploit the vulnerability remotely through the web interface by configuring a domain name that contains shell metacharacters, allowing execution of arbitrary commands on the server."}}}}, "created": "2026-03-25T21:46:26.045395+00:00", "updated": "2026-03-27T09:30:17.261049+00:00", "vendors": ["modoboa", "modoboa$PRODUCT$modoboa"]}